It can't be used to attack you from the public Internet unless (a) you don't
have a firewall or (b) you have forwarded the IME port on your firewall to a
host on your LAN. You are, however, susceptible to other hosts on your LAN
guessing the IME password, so be sure to use a strong password.
On my old HP dc7900 IME is unconfigured and disabled out of the box.If
resetting BIOS to defaults doesn't disable it, removing the motherboard battery
for 30 minutes should do the trick.
You should be able to find an administrator's manual for IME via Google Search.
From: Dave Anderson <d...@daveanderson.com>
To: misc@openbsd.org
Sent: Friday, September 8, 2017 2:52 PM
Subject: OT - "Intel Management Engine" security issues
While this isn't specifically an OpenBSD issue, since OpenBSD emphasizes
security this seems like a good place to ask.
As far as I can tell the "Intel Management Engine" (IME) is a gaping
backdoor into every recent Intel-based system. My searches on the 'net
haven't turned up much useful information about it.
I'd really like to find documentation on how to configure and use it,
though I'd settle for just enough to know how to lock it down or disable
it such that it can't be used to attack me from the 'net.
While this wouldn't work for a laptop, for desktop systems it might be
sufficient to use an add-in NIC rather than the built-in one -- but the
limited info I've found suggests that the IME may be able to snoop on
all devices and so defeat this tactic. Does anyone here know?
Thanks for any information,
Dave
--
Dave Anderson
<d...@daveanderson.com>
